20 comments

[ 3.8 ms ] story [ 44.5 ms ] thread
Huge respect to co9 for playing a great game this year. They really went all out, and deserved the win. I'm extremely proud of the progress my team made throughout DEFCON, and we were still always a solid 10 - 15 hours behind them.

This year, co9 actually took the social engineering game to a new level, and registered vanity domains, like http://assimilate.today. They hid puzzles on them that tied into 1o57's game, then they'd leak the domains to other teams playing, and trick them into spending hours solving puzzles that had no solution.

In the case of assimilate.today, I spent hours decoding it to different phone numbers, pointing everywhere from Bermuda to Thailand, and probably woke up a few dozen innocent people with phone calls.

If you like puzzles, riddles, or cryptography, I highly recommend the DEF CON badge challenge. It isn't for everyone, but it's one of the closest things I've found to a real life rendition of an old point and click adventure game.

I'm glad you had a fun experience. I hope your team comes back next year for Mystery Challenge!
Reading the recaps for these is always so fun. I hope this continues to get more ridiculous every year. Congrats to co9. Very well done, and a nice recap to boot.
Reading these just totally boggles my mind.

Example:

This page contained various hand signals instructing a painting of a dog. Someone on our team quickly recognized these as Curwen Hand Signs and it is referencing Close Encounters of the Third Kind.

In what possible world is someone encoding a message in an obscure (even if taught in 5th grade) musical notation hand signal format and then a team just happens to have someone that knows that? Rare breed indeed.

You have to remember that the sorts of people who dedicate themselves to winning the badge challenge are the same sorts of people who study ancient languages and codes in their free time. Most people playing the challenge probably wouldn't recognize the encoding, but it doesn't surprise me that the winning team did.
I have hunch anyone that is a big fan of Close Encounters would recognize the hand signals. It happens in a pretty significant part of the movie.
That sort of thing sounds pretty ordinary for an MIT Mystery Hunt puzzle.

It's remarkable all the sorts of crazy things a large collection of puzzle loving people know collectively.

That solve was impressive even for our team. He said the answer out loud before most of the team had even finished loading the next page.

Most of LosT puzzle pages take at minimum an hour to solve. They are designed to pull you in multiple directions when you first receive them.

e.g. https://lostboy.net/ExecutionTwoMiniatureSteelChameleonMuteS...

Look at the image names in the source. They're all actors in the movie Lost Boys. It also has nothing to do with the page and was there to mislead you. That alone takes at least one member of your team down a 20-30 minute rabbit hole.

Was there anything on the electronic badge? I like that the challenge didn't require bringing a ton of not-at-all-TSA-friendly EE equipment, but is there a good link to what was up with the badge beyond it being an Intel Quark?
I overheard someone talking about there being timed strings outputted to the serial lines on the badge (And the TX, RX and GRND pins were not together) but take that as conjecture and I was too shit/lazy to check while there, so unconfirmed here.

I'm surprised that solving the badge didn't utilise anything that was in the badge.

I brought a pretty minimal set of tools, and I was surprised that I had no additional scrutiny! I think they maybe scanned my bag more than once, but that's about it.

For an idea of what I had, this is off the top of my head: Bus Pirate, Bus Blaster, 2xRTLSDR, extra USB-WiFi, multimeter, screwdriver set, probably 4 ethernet cables, small travel router, several antennas (which showed up pretty cool on the x-ray!), hmmm... I think that's about it. And I was travelling from Canada.

It was a bit odd that the badge did not have any significant connection to the challenge this year. In past years, there was enciphered text that was viewable either with the correct button presses, or by dumping the ROMs, which was used as parts of a needed OTP. It was also a new-to-DC x86 processor.

It did output strings of text on a serial pin (GPOI01 ? if memory serves). I was (wrongly) guessing that the badge would have been like a chip-and-pin credit card, requiring certain inputs to get proper outputs. Again I was overthinking!

I'm not reading the article or comments, to stay pure, but I just wanted you all to know I'm like halfway done making my skull badge into a web server.
hahaha! That's awesome! I'd love to read a blog post about it when you're done if you're willing to write one up :)
Reading about this reminded me of Cicada 3301 from a few years ago. Did anyone ever find out the purpose/meaning of those puzzles?

Edit: It looks like there were new puzzles in 2015 and 2016! So this thing is still ongoing...

I can't speak for Cicada, but I have friends who got their start in the intelligence community from similar sets of puzzles. They'd solve a bunch of random crypto / reversing problems they found online, and end up receiving invitations to interview for IC jobs.

It wouldn't surprise me if Cicada were something similar, but I have nothing to base that assumption on but anecdote.

This writeup is insane (and congrats!).

How long does it take Lo57 to make these challenges?

The DC badge is generally pretty cool, though I seem to be on a cycle where I go for the non-electronic years.

Last year was my first time actually being in the DC program and not just an attendee. I got a rudimentary version of Hacker Jeopardy running directly on an old parallax-based badge (DC20 and 22 I think) and demo'ed it to lots of people with a couple buddies of mine. It was a good time!! Unfortunately I think a lot of people were under the impression the badge was connected to a computer; we should have made it more clear the badge was running the whole show.